In the world of international business, there is a silent engine humming beneath the surface of every Zoom call, credit card swipe, and cloud-based collaboration. That engine is data. At the 2026 IAPP Global Summit in Washington, D.C., officials from both sides of the Atlantic gathered to check the temperature of the EU-U.S. Data Privacy Framework (DPF)—and the stakes couldn’t be higher.
As Alex Greenstein, Director of the International Trade Administration’s DPF, put it: “You have a 9.8 trillion-dollar trans-Atlantic economic relationship and a lot of that does depend on the ability to transfer data.”
If data is the fuel for this economy, the DPF is the pipeline. Here is the current state of play for the agreement keeping the digital world connected.
1. The Small Business Lifeline
For years, the “Big Tech” giants have had the resources to navigate complex legal hurdles like Standard Contractual Clauses (SCCs). But for the little guy, those hurdles were often too high. The DPF is changing that math.
Greenstein noted that the framework is a game-changer for smaller organizations because “the DPF is relatively easily applied, and it is readily scalable. It really does provide a particularly valuable proposition for small and medium enterprises that are looking to step out internationally.”
The numbers back this up. Of the 3,500+ companies currently signed on, 62% are small-to-medium enterprises, and nearly half have fewer than 100 employees. For a fee that can be as low as $260, small businesses are finding a seat at the global table.
2. The “Belt-and-Braces” Compliance Trend
Interestingly, even the giants aren’t putting all their eggs in one basket. Despite the DPF being active, many well-resourced companies are choosing to keep their old SCCs in place while also joining the DPF.
Greenstein described this as a “belt-and-braces approach where they are using standard contractual clauses as their primary method of compliance.” Why do both? According to Greenstein, companies may see the DPF “as a gap-filler to cover things that they don’t have 100% visibility on their contractual arrangements or need that additional assurance.”
3. Enforcement: It’s Not Just a Paper Tiger
There has been a lingering question: Is the DPF actually being policed? The Department of Commerce is increasingly using “spot checks” to ensure companies aren’t just paying the fee and ignoring the principles.
“When we have negatively available information, we send out questionnaires to the company asking them how (their actions) comport with their commitments under the DPF,” Greenstein explained. He warned that if issues aren’t fixed, they get sent to federal enforcers, though he noted that “By and large, companies would want to work proactively so they do not need to go down the route of having an enforcement action brought against them.”
4. The View from Europe: A Focus on the Future
From the European perspective, the focus is shifting from “setting up the system” to “watching it work.” Louisa Klingvall of the European Commission highlighted that the initial 2024 review was about building the foundation.
“In this first review, we really looked at having institutional and organizational structures in place because it was only one year after establishing the system,” Klingvall said. “It’s very important to hear from the voices that are using the systems and look out for those concerns, and so it was a very thorough exercise.”
The real test comes in 2027. Klingvall noted that “the next review is likely to look more on the enforcement side and how things are looking in practice.”
5. The First Legal Tests
Perhaps the most critical piece of the DPF is its redress mechanism—the ability for EU citizens to challenge how their data is handled via the U.S. Data Protection Review Court. We are already seeing the first ripples of this in action.
Greenstein confirmed that two qualified complaints have been lodged. While he couldn’t share specifics, he stated, “These were cases that were found to meet the criteria established under the redress mechanism. Those were received and processed according to the rules established by how the redress mechanism is supposed to function.”
DPF’s Uncertain Future
The DPF isn’t just a legal document; it’s a living infrastructure for a nearly $10 trillion relationship. Whether you are a small startup or a multinational corporation, the message from the summit was clear: the framework is gaining momentum, but the world is watching closely to see if it can withstand the scrutiny of the next few years.
